Symantec: Leaked Flash zero-day likely to be exploited by attackers
Security software firm Symantec have confirmed the existence of a new zero-day vulnerability in Adobe Flash, which could allow attackers to remotely execute code on a targeted computer.
Symantec says since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued.
Details of the vulnerability surfaced following a cyberattack against the controversial Italian hackers-for-hire firm Hacking Team. Proof-of-concept code for exploit of the vulnerability was part of a large cache of internal information leaked by the attackers, Symantec explains in a blog post.
“Given the source of the proof-of-concept code, it is possible that this vulnerability has already been exploited in the wild,” the company writes. “Following its disclosure, it can be expected that groups of attackers will rush to incorporate it into exploit kits before a patch is published by Adobe.”
Analysis by Symantec has confirmed the existence of this vulnerability by replicating the proof-of-concept exploit on the most recent, fully patched version of Adobe Flash (220.127.116.11) with Internet Explorer.
Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected computer.
Adobe has yet to comment on the vulnerability and a patch has not yet been published, Symantec says. “Symantec regards this vulnerability as critical since it could allow attackers to remotely run code on an affected computer, effectively allowing them to take control of it,” it says.
Symantec says users who are concerned about this issue can temporarily disable Adobe Flash in their web browser.